If you've got an old macOS install image, it will probably stop working today

Posted:
in macOS edited October 2019
If you're like us, you've got a pile of macOS installers of various vintages lying about ready to go at a moment's notice. The problem with that is, the certificates on most of them them expire today, making them useless.

The expiring certificate on macOS Mojave update 10.14.6 - photo credit Medium
The expiring certificate on macOS Mojave update 10.14.6 - photo credit Medium


So here's what's going on -- Apple has security certificates on installers for macOS. Nearly all of these for older versions of the operating systems expire at some point on Thursday. It's not Apple's root certificate -- which would be worse -- but the primary and intermediate certificates that are expiring.

This means that all of those USB sticks that you've pre-loaded installs that you made that aren't Catalina are probably not going to work when you need them to. So, it's time to update them.

But maybe not just yet, though. As pointed out by a post on Medium, and confirmed just before we took this article live, the macOS Mojave 10.14.6 updater presently available through Apple has the old certificate. Therefore, you can download it now, but it won't work if you do, because it won't validate as it is after 1:29 PM Eastern time -- when the package expired.

Installed operating systems are fine, so there's nothing to worry about there. But, if you try to run an installer, you'll get a warning that the copy of the installer may be damaged, or will just fail to open because the package isn't trusted any more.

So, if you're a system administrator, or just like to be prepared, there's a little work to do to keep your tools functional. You may just want to wait until after October 24 to do it.

This has all happened before, and it will happen again. Fortunately, at least for the operating systems, you won't have to do it again until 2029 after you get the new images.
«1

Comments

  • Reply 1 of 30
    coolfactorcoolfactor Posts: 2,239member
    The intermediate "Apple Software Update Certification Authority" certificate expiration seems to be a concern. Wouldn't they keep that one renewed? Is this an oversight?

    Certificates are managed at the Certificate Authority. Wouldn't Software Update reach out to see if there's a renewed certificate in the same way that browsers do for websites? But then again, certificates are stored within website hosting environments, so if the same happens for these software packages (the certificate bundled within), that does pose a problem.

  • Reply 2 of 30
    coolfactorcoolfactor Posts: 2,239member
    Hey AppleInsider, to get a clean capture of windows, do this:
    1. Command-Shift-4. (with or without Option key)
    2. Press the Space bar.
    3. Hover over the window that you want to capture.
    4. Click.
    This works for Quick Look windows, too.


    muthuk_vanalingamdjames4242
  • Reply 3 of 30
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    Hey AppleInsider, to get a clean capture of windows, do this:
    1. Command-Shift-4. (with or without Option key)
    2. Press the Space bar.
    3. Hover over the window that you want to capture.
    4. Click.
    This works for Quick Look windows, too.


    I know. Not our capture. Note the photo credit.
    muthuk_vanalingamdjames4242watto_cobra
  • Reply 4 of 30
    You know there is a very easy fix here!

    The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!

    As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
    fastasleepGG1MisterKitquadra 610dysamoriadjames4242doozydozenleftoverbaconzhirorussw
  • Reply 5 of 30
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    BigDann said:
    You know there is a very easy fix here!

    The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!

    As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
    Workarounds (like yours) are good to know in a pinch. The fix is to download the images, with the new certificate, because setting back a system clock can have unintended consequences.


    edited October 2019 apres587doozydozenwatto_cobra
  • Reply 6 of 30
    rob53rob53 Posts: 3,241member
    If you use the recovery disk installer will it still work? I would hope it would work on a Mac that is running that software and can’t run anything newer. 
    watto_cobra
  • Reply 7 of 30
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    rob53 said:
    If you use the recovery disk installer will it still work? I would hope it would work on a Mac that is running that software and can’t run anything newer. 
    The old USB one that Apple alternately sold and/or gave away depending on year or model? I don't think so, but mine is long, long gone...
    watto_cobra
  • Reply 8 of 30
    BigDann said:
    You know there is a very easy fix here!

    The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!

    As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
    Workarounds (like yours) are good to know in a pinch. The fix is to download the images, with the new certificate, because setting back a system clock can have unintended consequences.


    Mike you said ‘ The fix is to download the images, with the new certificate,‘ sorry if I am being dense, but how do you do this now the installers are no longer available?
    zhirowatto_cobra
  • Reply 9 of 30
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    Samhain said:
    BigDann said:
    You know there is a very easy fix here!

    The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!

    As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
    Workarounds (like yours) are good to know in a pinch. The fix is to download the images, with the new certificate, because setting back a system clock can have unintended consequences.


    Mike you said ‘ The fix is to download the images, with the new certificate,‘ sorry if I am being dense, but how do you do this now the installers are no longer available?
    Most are available now, minus a few. They should all be available by tomorrow.

    The key point, is if you have an install disk or update image that isn't Catalina that's older than about three weeks, you're going to need to replace it.
    edited October 2019 doozydozenwatto_cobra
  • Reply 10 of 30
    Samhain said:
    BigDann said:
    You know there is a very easy fix here!

    The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!

    As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
    Workarounds (like yours) are good to know in a pinch. The fix is to download the images, with the new certificate, because setting back a system clock can have unintended consequences.


    Mike you said ‘ The fix is to download the images, with the new certificate,‘ sorry if I am being dense, but how do you do this now the installers are no longer available?
    Most are available now, minus a few. They should all be available by tomorrow.

    The key point, is if you have an install disk or update image that isn't Catalina that's older than about three weeks, you're going to need to replace it.
    Probably a dumb question, but now that the App Store is different, I can't find all the old OS versions (El Cap, Yosemite, High Sierra, etc.).  Where do we get those?
    dysamoriazhiro
  • Reply 11 of 30
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    ITGUYINSD said:
    Samhain said:
    BigDann said:
    You know there is a very easy fix here!

    The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!

    As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
    Workarounds (like yours) are good to know in a pinch. The fix is to download the images, with the new certificate, because setting back a system clock can have unintended consequences.


    Mike you said ‘ The fix is to download the images, with the new certificate,‘ sorry if I am being dense, but how do you do this now the installers are no longer available?
    Most are available now, minus a few. They should all be available by tomorrow.

    The key point, is if you have an install disk or update image that isn't Catalina that's older than about three weeks, you're going to need to replace it.
    Probably a dumb question, but now that the App Store is different, I can't find all the old OS versions (El Cap, Yosemite, High Sierra, etc.).  Where do we get those?
    Not a dumb question. The Medium post has most of them linked. Here they are:

    Sierra: https://support.apple.com/en-us/HT208202
    High Sierra: https://support.apple.com/en-us/HT208969
    Mojave: https://support.apple.com/HT210190
    The rest: https://support.apple.com/downloads

    Further back than that, the best way is hitting the App Store from a Yosemite Mac and checking out the Purchased tab -- assuming that's where you got the OS from.
    edited October 2019 kevin keeElCapitanirelanddoozydozenzhiro
  • Reply 12 of 30

    Not a dumb question. The Medium post has most of them linked. Here they are:

    Sierra: https://support.apple.com/en-us/HT208202
    High Sierra: https://support.apple.com/en-us/HT208969
    Mojave: https://support.apple.com/HT210190
    The rest: https://support.apple.com/downloads

    Further back than that, the best way is hitting the App Store from a Yosemite Mac and checking out the Purchased tab -- assuming that's where you got the OS from.

    Thanks so much for these details.  But is it likely that Apple would update any of theses?
    watto_cobra
  • Reply 13 of 30
    ITGUYINSD said:
    Samhain said:
    BigDann said:
    You know there is a very easy fix here!

    The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!

    As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
    Workarounds (like yours) are good to know in a pinch. The fix is to download the images, with the new certificate, because setting back a system clock can have unintended consequences.


    Mike you said ‘ The fix is to download the images, with the new certificate,‘ sorry if I am being dense, but how do you do this now the installers are no longer available?
    Most are available now, minus a few. They should all be available by tomorrow.

    The key point, is if you have an install disk or update image that isn't Catalina that's older than about three weeks, you're going to need to replace it.
    Probably a dumb question, but now that the App Store is different, I can't find all the old OS versions (El Cap, Yosemite, High Sierra, etc.).  Where do we get those?
    Not a dumb question. The Medium post has most of them linked. Here they are:

    Sierra: https://support.apple.com/en-us/HT208202
    High Sierra: https://support.apple.com/en-us/HT208969
    Mojave: https://support.apple.com/HT210190
    The rest: https://support.apple.com/downloads

    Further back than that, the best way is hitting the App Store from a Yosemite Mac and checking out the Purchased tab -- assuming that's where you got the OS from.
    Thanks.  The links are appreciated.
  • Reply 14 of 30
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    jdiamond said:

    Not a dumb question. The Medium post has most of them linked. Here they are:

    Sierra: https://support.apple.com/en-us/HT208202
    High Sierra: https://support.apple.com/en-us/HT208969
    Mojave: https://support.apple.com/HT210190
    The rest: https://support.apple.com/downloads

    Further back than that, the best way is hitting the App Store from a Yosemite Mac and checking out the Purchased tab -- assuming that's where you got the OS from.

    Thanks so much for these details.  But is it likely that Apple would update any of theses?
    They already have.
    dysamoriadoozydozen
  • Reply 15 of 30
    rob53rob53 Posts: 3,241member
    rob53 said:
    If you use the recovery disk installer will it still work? I would hope it would work on a Mac that is running that software and can’t run anything newer. 
    The old USB one that Apple alternately sold and/or gave away depending on year or model? I don't think so, but mine is long, long gone...
    No, I’m talking about using the Recovery partition and grabbing the OS install from there. It might use a network install tied to the model of Mac you have. 
  • Reply 16 of 30
    ITGUYINSD said:
    Samhain said:
    BigDann said:
    You know there is a very easy fix here!

    The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!

    As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
    Workarounds (like yours) are good to know in a pinch. The fix is to download the images, with the new certificate, because setting back a system clock can have unintended consequences.


    Mike you said ‘ The fix is to download the images, with the new certificate,‘ sorry if I am being dense, but how do you do this now the installers are no longer available?
    Most are available now, minus a few. They should all be available by tomorrow.

    The key point, is if you have an install disk or update image that isn't Catalina that's older than about three weeks, you're going to need to replace it.
    Probably a dumb question, but now that the App Store is different, I can't find all the old OS versions (El Cap, Yosemite, High Sierra, etc.).  Where do we get those?
    Not a dumb question. The Medium post has most of them linked. Here they are:

    Sierra: https://support.apple.com/en-us/HT208202
    High Sierra: https://support.apple.com/en-us/HT208969
    Mojave: https://support.apple.com/HT210190
    The rest: https://support.apple.com/downloads

    Further back than that, the best way is hitting the App Store from a Yosemite Mac and checking out the Purchased tab -- assuming that's where you got the OS from.
    And (for me at least) each link comes back with:
    "This copy of the install MacOS XYZ application is damaged, and can't be used to install macOS"
  • Reply 17 of 30
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    rob53 said:
    rob53 said:
    If you use the recovery disk installer will it still work? I would hope it would work on a Mac that is running that software and can’t run anything newer. 
    The old USB one that Apple alternately sold and/or gave away depending on year or model? I don't think so, but mine is long, long gone...
    No, I’m talking about using the Recovery partition and grabbing the OS install from there. It might use a network install tied to the model of Mac you have. 
    Oh, the recovery partition and internet recovery. That should be fine, assuming Apple has updated all the images. Looks like they're not quite done, though.
  • Reply 18 of 30
    It seems a bit weird to me.  I run a small software company, and we sign our installers.  When we sign the installer, the signature is timestamped.  The certificate only needs to be valid at the time of timestamping.  If you don't sign with a timestamp, then yes the signed installer is only valid for as long as the certificate is valid - but that's why you sign with a timestamp.  It's pretty standard across the industry.  It's why you can still install microsoft patches years later, or my own companies software.

    I guess Apple have done this deliberately to ensure old installers expire, but that's pretty poor behaviour.  How many Mac Admin's are today downloading / updating their cache of installers?  How many man hours of wasted time?  You can probably measure the drop in productivity against US GDP.  It should be a crime to force us all to waste so much effort.  Force employers all over the country to have their staff unproductive for a few hours - how about 4 hours of income fined from Apple - how would they feel about that?
    dysamoriaBigDann
  • Reply 19 of 30
    BigDann said:
    You know there is a very easy fix here!

    The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!

    As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
    Workarounds (like yours) are good to know in a pinch. The fix is to download the images, with the new certificate, because setting back a system clock can have unintended consequences.


    Apple long since stopped signing the older installers ;-{ They only update the last two OS's now. Besides, its more work resetting up the installer USB drive.

    There's no risks here! As long as you reset the Date and Time back to auto the Apple time server will set things for you. I've done quite a few systems haven't encountered any issues over the last 10 years.
    dysamoriazhiro
  • Reply 20 of 30
    sumergo said:
    ITGUYINSD said:
    Samhain said:
    BigDann said:
    You know there is a very easy fix here!

    The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!

    As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
    Workarounds (like yours) are good to know in a pinch. The fix is to download the images, with the new certificate, because setting back a system clock can have unintended consequences.


    Mike you said ‘ The fix is to download the images, with the new certificate,‘ sorry if I am being dense, but how do you do this now the installers are no longer available?
    Most are available now, minus a few. They should all be available by tomorrow.

    The key point, is if you have an install disk or update image that isn't Catalina that's older than about three weeks, you're going to need to replace it.
    Probably a dumb question, but now that the App Store is different, I can't find all the old OS versions (El Cap, Yosemite, High Sierra, etc.).  Where do we get those?
    Not a dumb question. The Medium post has most of them linked. Here they are:

    Sierra: https://support.apple.com/en-us/HT208202
    High Sierra: https://support.apple.com/en-us/HT208969
    Mojave: https://support.apple.com/HT210190
    The rest: https://support.apple.com/downloads

    Further back than that, the best way is hitting the App Store from a Yosemite Mac and checking out the Purchased tab -- assuming that's where you got the OS from.
    And (for me at least) each link comes back with:
    "This copy of the install MacOS XYZ application is damaged, and can't be used to install macOS"
    Thats the certificate warning! Now alter your systems date to a date within the OS's life time and disable auto as my example above. Then run the installer again magic! It will install the OS. Now don't forget to reset your date.
    dysamoriamuthuk_vanalingam
Sign In or Register to comment.